FEBRUARY 11, 2019
ORLANDO, FL
Keynote: Securing the
Consumer-Driven Revenue Cycle
www.HIMSSConference.org
#rethinkRCM
Plentiful Data
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Payment Card Information (PCI)

What stolen personal data sells for on the dark web:
Patient Portal Credentials    $1,500+
Passport                      $1,000+
Driver's License              $20
Social Security Number        $1
Credit Card                   $110
Debit Card w/PIN              $150
Bank Details                  $200+
Medical Record                $1,000+
Source: Here's How Much Your Personal Information is Selling for on the Dark Web, Experian.com, April 2018
Recent Data Loss (records exposed, by cause)
Phishing                  42,000
Malware                   500,000
Public Facing Misconfig.  33,420
Nation-State              78.8m
Theft or Loss             605
Current State: Provider/Payer Centric

PRE-CARE EXPERIENCE
Determine healthcare need
Search online for info (self-diagnose)
Find provider options and ratings
Call to make appointment

POINT OF CARE EXPERIENCE
Wait
Fill out forms on paper (possibly redundant)

POST-CARE EXPERIENCE
Receive multiple bills
Follow-up visit with caregiver
Estimate of benefits hard to obtain
Follow-up info on patient portal
Receive survey about service
Receive clinical care call
Future State: Consumer Centric
END-TO-END EXPERIENCE: Access, Navigate, Informed, Involved, Seamless, Transparent, Quality, Empathy, Engagement, Holistic, Digitally Enabled
Virtual hospital; virtual visits from home
Bridging Business and Security Requirements
END-TO-END EXPERIENCE: Access, Navigate, Informed, Involved, Seamless, Transparent, Quality, Empathy, Engagement, Holistic, Digitally Enabled
Unique Risks
CONSUMER REVENUE CYCLE: Fraud, Breach, PCI, PHI, PII, Cloud
Vulnerability Management
Cycle: Discover, Prioritize Assets, Assess, Report, Remediate, Verify
Vulnerability Pathway: Attacker Capability, Accessibility, Exploit, Vulnerability
2004: GPCode encrypts files on Windows OS
2006: Archievus appears on Windows; Trojan.Ransom.A distributed
2010: Operation Aurora
2012: Reveton debuts
2014: CryptoWall distributed; CTB-Locker and Sypeng introduced
2015: LockerPin attacks mobile devices; Encoder, Chimera, Mischa, Tox, Ransom32 and CryptoLocker
2016: Jigsaw appears; SamSam, Petya, Mamba, Zcryptor and CryptXXX introduced
2017: WannaCry, fast-spreading malware; NotPetya spreads fast, bent on destruction
Attacks are Growing in Frequency
Healthcare cyberattacks rose 320% between 2015 and 2016
Healthcare was the most frequently attacked industry, with 194 attacks per 1,000 devices
Attacks are Growing in Sophistication
Chart: THREAT SOPHISTICATION (LOW to HIGH) by actor, HACKTIVISM, E-CRIME, NATION-STATE, and by technique, Malware vs Non-Malware
The Risks are Changing

BUSINESS CRITICAL (Confidentiality)
PHI (HIPAA); PII & PCI; Account Information; Billing & Payment Data
Intellectual Property: Clinical Trials, Research, Design & Formularies
Legal & HR Documents; Identities & Credentials

MISSION CRITICAL (Availability)
Clinical Systems: EHR & Specialty, Ancillary (PACS, Lab, RX), ePrescription/EPCS, Medical Devices
Availability of clinical services and results
Business Systems: Email, Billing, Scheduling

LIFE CRITICAL (Integrity)
Critical Patient Data: Scripts/Meds, Dosages, Allergies, History, Diagnosis, Alarms
Critical Technical Data: Calibration, Safety Limits

Patient Experience: "Patient Trust Zone"
Patient Harm Risk: "Patient Safety Zone"
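The Vulnerability Management cycle and the three criticality tiers above only pay off when they are wired together: a finding's place in the remediation queue should come from the pathway factors (attacker capability, accessibility, exploit availability) and from the tier of the asset it sits on, not from the CVSS score alone. The following is an added example written for this page, not code from the keynote or from Intermountain Healthcare; the tier and capability weights, the SLA bands, the asset names and the sample inventory are all constructed assumptions.

```python
"""Risk-based prioritization of vulnerability findings.

Added example, not from the keynote. It turns the vulnerability pathway
(attacker capability, accessibility, exploit availability) and the three
criticality tiers (business, mission, life critical) into one score that
drives the Prioritize / Remediate / Verify steps of the management cycle.
Weights, SLA bands and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

# Life-critical assets (patient safety) outrank mission- and business-critical ones.
TIER_WEIGHT = {"business": 1.0, "mission": 1.5, "life": 2.5}

# Attacker capability the flaw demands. Commodity tooling means the widest
# attacker population, so it raises the score the most.
CAPABILITY_WEIGHT = {"commodity": 1.0, "skilled": 0.7, "nation-state": 0.4}


@dataclass(frozen=True)
class Finding:
    asset: str
    tier: str              # business | mission | life
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # accessibility: reachable from the internet?
    exploit_public: bool   # exploit: is working exploit code available?
    capability: str        # commodity | skilled | nation-state


def score(f: Finding) -> float:
    """Priority score; higher means fix sooner. Not capped, so tiers can exceed 10."""
    accessibility = 1.0 if f.internet_facing else 0.5
    exploit = 1.0 if f.exploit_public else 0.6
    return (f.cvss * TIER_WEIGHT[f.tier] * accessibility * exploit
            * CAPABILITY_WEIGHT[f.capability])


def sla_days(s: float) -> int:
    """Remediation deadline bands (assumed); the Verify step re-scans at the deadline."""
    if s >= 8.0:
        return 7
    if s >= 5.0:
        return 30
    if s >= 2.0:
        return 90
    return 180


def prioritize(findings: List[Finding]) -> List[tuple]:
    """Return (asset, score, sla_days) sorted by descending score."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.asset, round(score(f), 2), sla_days(score(f))) for f in ranked]


# Constructed inventory. Note the medium-CVSS flaw on the life-critical device
# outranks the higher-CVSS flaw on the internet-facing billing API.
SAMPLE_FINDINGS = [
    Finding("patient-portal-web", "business", 9.8, True, True, "commodity"),
    Finding("infusion-pump-gateway", "life", 7.0, False, True, "commodity"),
    Finding("billing-api", "business", 8.1, True, False, "skilled"),
    Finding("ehr-app-server", "mission", 7.5, False, True, "commodity"),
]

if __name__ == "__main__":
    for asset, s, days in prioritize(SAMPLE_FINDINGS):
        print(f"{asset:24} score={s:5.2f} fix within {days} days")
```

The multiplicative form is deliberate: an internal-only, no-public-exploit finding on a business system drops into the 90-day band even at CVSS 8.1, while a CVSS 7.0 flaw with commodity exploit code on a life-critical gateway lands in the 7-day band. Tune the weights against your own inventory; the point is that tier and pathway, not the base score, decide the order.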
Cloud Management
Identify and manage cloud risk
Develop cloud data inventory
Develop cloud controls
Monitor
Detect and respond to cloud incidents
Carefully manage BAA (Business Associate Agreement) and 3rd-party reviews
Principles: Gain Visibility; Common Controls; Trust but Verify; Monitor & Investigate
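"Develop cloud controls" and "Trust but Verify" become concrete once a control is expressed as a check that runs against the actual configuration. Public-facing misconfiguration appears among the breach causes earlier in this deck, and the most common form is an object-storage policy that grants anonymous read. The following is an added example written for this page, not code from the keynote or from Intermountain Healthcare; it reads policy documents in the AWS S3 bucket-policy JSON shape, and the bucket names, account id and VPC endpoint id are constructed placeholders.

```python
"""Detect public-read grants in object-storage bucket policies.

Added example, not from the keynote. It implements one "cloud control" in
code: before migrating PHI/PII stores, and on a schedule afterwards, flag any
policy statement that lets anonymous principals read. The policy documents
follow the AWS S3 bucket-policy JSON shape; the bucket names, account id and
VPC endpoint id are constructed for illustration.
"""
import json
from typing import Dict, List

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or "*" inside an AWS list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_policy(policy: Dict) -> Dict[str, List[str]]:
    """Return {"public": [Sid...], "conditioned": [Sid...]}.

    "public": Allow + anonymous principal + read action + no Condition.
    "conditioned": the same grant scoped by a Condition (e.g. aws:SourceVpce);
    surfaced for review because the condition, not the principal, is the control.
    """
    result: Dict[str, List[str]] = {"public": [], "conditioned": []}
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = st.get("Sid", "<no Sid>")
        result["conditioned" if st.get("Condition") else "public"].append(sid)
    return result


def audit_all(policies: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Audit {bucket_name: policy_json}; only buckets with findings are returned."""
    findings = {}
    for name, doc in policies.items():
        r = audit_policy(json.loads(doc))
        if r["public"] or r["conditioned"]:
            findings[name] = r
    return findings


# Constructed policies: one misconfigured, one VPC-scoped, one role-limited.
SAMPLE_POLICIES = {
    "example-imaging-archive": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-imaging-archive/*",
        }],
    }),
    "example-claims-export": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VpcOnlyRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-claims-export/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        }],
    }),
    "example-portal-assets": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PortalRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/portal-web"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-portal-assets/*",
        }, {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-portal-assets/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }),
}

if __name__ == "__main__":
    for name, r in audit_all(SAMPLE_POLICIES).items():
        print(name, r)
```

Run against a dump of every bucket policy in the account and feed the "public" list to the incident process and the "conditioned" list to the periodic review. The check covers the policy document only; bucket ACLs and account-level public-access blocks are separate controls and need their own checks.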
Cloud Migration | 10 Considerations
1) Cost-effective scalability
2) Compliance obligations by vendor
3) Effect of server crash
4) Security across the organization
5) Alignment with business goals
6) Support on multiple devices
7) Ability to provide complete solution
8) Type of cloud: public, private, or hybrid
9) Hardware compatibility
10) Content management and governance
Data Classification
Data Protection: Inventory, Encryption, Data Loss Prevention (DLP), Detection
Application Security: Secure Software Development Life Cycle, Internet Awareness, Application Segmentation
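Data classification and DLP detection are two ends of the same mechanism: a detector has to decide which class (PCI, PII, PHI) a record falls into before encryption scope or a blocking rule can be applied to it. The following is an added example written for this page, not code from the keynote or from Intermountain Healthcare. The regular expressions, the Luhn pre-check that keeps random digit runs out of the PCI bucket, the medical record number format ("MRN" followed by 8 digits) and the sample records are constructed assumptions; a real deployment tunes them to its own identifier formats and joins hits back to the data inventory.

```python
"""Pattern-based data classification and DLP detection for PCI, PII and PHI.

Added example, not from the keynote. The detectors, the constructed MRN
format ("MRN" + 8 digits) and the sample records are illustrative
assumptions; a real DLP policy is tuned to the organization's own identifier
formats and paired with the data inventory so hits map back to systems.
"""
import re
from collections import Counter
from typing import Dict, List

# Candidate card number: 13 to 19 digits, optional single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding never-issued areas/groups/serials.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Constructed medical record number format for this example.
MRN_RE = re.compile(r"\bMRN\d{8}\b")
# Clinical context words that mark a record as PHI even without an MRN.
PHI_TERMS_RE = re.compile(
    r"\b(?:diagnosis|allerg(?:y|ies)|dosage|prescri(?:ption|bed))\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; screens out random digit runs before flagging PCI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four (PCI DSS display rule); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text: str) -> Dict[str, List[str]]:
    """Return {data_class: [masked evidence]} for each class found in text."""
    found: Dict[str, List[str]] = {"PCI": [], "PII": [], "PHI": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found["PCI"].append(mask_pan(digits))
    for m in SSN_RE.finditer(text):
        found["PII"].append("***-**-" + m.group()[-4:])
    mrns = MRN_RE.findall(text)
    if mrns:
        found["PHI"].extend(mrns)
    elif PHI_TERMS_RE.search(text):
        found["PHI"].append("clinical-context")
    return {k: v for k, v in found.items() if v}


def scan(records: List[str]) -> Counter:
    """Count records per data class; sizes the encryption and DLP blocking scope."""
    totals: Counter = Counter()
    for rec in records:
        totals.update(classify(rec).keys())
    return totals


# Constructed sample records (4111... is a well-known test card number;
# the SSN and MRN are fictitious).
SAMPLE_RECORDS = [
    "Statement paid with card 4111 1111 1111 1111, exp 09/26",
    "Order ref 4111 1111 1111 1112 (not a valid PAN, fails Luhn)",
    "Guarantor SSN 078-05-1120 on file for billing",
    "MRN00123456 diagnosis: type 2 diabetes; allergies: penicillin",
    "Visit note: no prescription changes this visit",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec), "<-", rec)
    print(scan(SAMPLE_RECORDS))
```

Two details matter in practice. The Luhn check is what keeps order numbers and invoice references out of the PCI count (the second sample record is rejected for exactly that reason), and the evidence is masked at detection time so the DLP log itself does not become another copy of the cardholder data.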
Consumer Oriented Security
Key Takeaways
1) Be an enabler of healthcare consumerism.
2) Aid the business in the healthcare home transition.
3) Reduce cyber friction for the business and consumers.
4) Prepare and design mature processes into cloud endeavors.
5) Always partner with the business to enable its success.
Karl J. West, CISO
Intermountain Healthcare
@intermountain